Sigint 2349 2#272
polaris_prComment_enabled
| services: | ||
| web: | ||
| build: . |
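Review bot: the `web` service in this hunk (`web:` / `build: .`) carries none of the hardening keys, so the read-only, no-new-privileges and capability findings raised on this block all resolve in one place: add `read_only: true`, `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` under `web`, and mount a `tmpfs` for any path the application must write at runtime so the read-only root does not break startup.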
Automated PR Comment From coverity
Coverity Issue - Container allows filesystem write
Low CWE-552
The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.
How to fix
Explicitly set the read-only attribute of the service to true to create a service container with a read-only filesystem.
| - "4000:4000" | ||
| mongo: | ||
| image: mongo:4.4 |
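Review bot: `image: mongo:4.4` is pinned, but before adding `read_only: true` to `mongo` (the fix suggested for this block) give it a named volume on `/data/db`, the data directory of the official mongo image; without a writable data path a read-only root filesystem stops mongod from starting.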
Automated PR Comment From coverity
Coverity Issue - Container allows filesystem write
Low CWE-552
The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.
How to fix
Explicitly set the read-only attribute of the service to true to create a service container with a read-only filesystem.
| version: "2" | ||
| services: | ||
| goof: | ||
| build: ../../Downloads/gitlab-goof-automation-master |
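Review bot: `build: ../../Downloads/gitlab-goof-automation-master` points outside the repository at one developer's Downloads folder, so nobody else (and no CI runner) can build `goof` from this file; vendor that source into the repo or reference it with a path relative to the compose file inside the checkout.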
Automated PR Comment From coverity
Coverity Issue - Container allows filesystem write
Low CWE-552
The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.
How to fix
Explicitly set the read-only attribute of the service to true to create a service container with a read-only filesystem.
| depends_on: | ||
| - goof-mongo | ||
| goof-mongo: | ||
| container_name: goof-mongo |
Automated PR Comment From coverity
Coverity Issue - Container allows filesystem write
Low CWE-552
The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.
How to fix
Explicitly set the read-only attribute of the service to true to create a service container with a read-only filesystem.
| ports: | ||
| - "27017:27017" | ||
| good-mysql: | ||
| container_name: goof-mysql |
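Review bot: the service key reads `good-mysql` while its `container_name` is `goof-mysql`, which looks like a typo and will break any `depends_on` reference to the mysql service; also `- "27017:27017"` publishes Mongo on every host interface, and since `goof` reaches it over the compose network by service name, either drop the mapping or bind it as `"127.0.0.1:27017:27017"`.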
Automated PR Comment From coverity
Coverity Issue - Container allows filesystem write
Low CWE-552
The docker service container is configured to permit writing to the root filesystem. This makes some security attack vectors such as privilege escalation, denial-of-service or authorization bypass possible since the container instance's filesystem can be tampered with.
How to fix
Explicitly set the read-only attribute of the service to true to create a service container with a read-only filesystem.
| services: | ||
| web: | ||
| build: . |
Automated PR Comment From coverity
Coverity Issue - Container privilege escalation allowed
Low CWE-269
The Docker Compose file sets the no-new-privileges attribute to false or omits it as the default value is false. This doesn't restrict the container from acquiring additional privileges via SUID or SGID bits. This allows privilege escalation, meaning a user can set the security context of the container and can perform root-level operations.
How to fix
Disable container privilege escalation by explicitly setting no-new-privileges to true.
| - "4000:4000" | ||
| mongo: | ||
| image: mongo:4.4 |
Automated PR Comment From coverity
Coverity Issue - Container privilege escalation allowed
Low CWE-269
The Docker Compose file sets the no-new-privileges attribute to false or omits it as the default value is false. This doesn't restrict the container from acquiring additional privileges via SUID or SGID bits. This allows privilege escalation, meaning a user can set the security context of the container and can perform root-level operations.
How to fix
Disable container privilege escalation by explicitly setting no-new-privileges to true.
| version: "2" | ||
| services: | ||
| goof: | ||
| build: ../../Downloads/gitlab-goof-automation-master |
Automated PR Comment From coverity
Coverity Issue - Container privilege escalation allowed
Low CWE-269
The Docker Compose file sets the no-new-privileges attribute to false or omits it as the default value is false. This doesn't restrict the container from acquiring additional privileges via SUID or SGID bits. This allows privilege escalation, meaning a user can set the security context of the container and can perform root-level operations.
How to fix
Disable container privilege escalation by explicitly setting no-new-privileges to true.
| depends_on: | ||
| - goof-mongo | ||
| goof-mongo: | ||
| container_name: goof-mongo |
Automated PR Comment From coverity
Coverity Issue - Container privilege escalation allowed
Low CWE-269
The Docker Compose file sets the no-new-privileges attribute to false or omits it as the default value is false. This doesn't restrict the container from acquiring additional privileges via SUID or SGID bits. This allows privilege escalation, meaning a user can set the security context of the container and can perform root-level operations.
How to fix
Disable container privilege escalation by explicitly setting no-new-privileges to true.
| ports: | ||
| - "27017:27017" | ||
| good-mysql: | ||
| container_name: goof-mysql |
Automated PR Comment From coverity
Coverity Issue - Container privilege escalation allowed
Low CWE-269
The Docker Compose file sets the no-new-privileges attribute to false or omits it as the default value is false. This doesn't restrict the container from acquiring additional privileges via SUID or SGID bits. This allows privilege escalation, meaning a user can set the security context of the container and can perform root-level operations.
How to fix
Disable container privilege escalation by explicitly setting no-new-privileges to true.
| services: | ||
| web: | ||
| build: . |
Automated PR Comment From coverity
Coverity Issue - Container requests ability to craft raw network packets
High CWE-269
The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.
How to fix
Explicitly remove the NET_RAW capability by adding either NET_RAW or ALL to the cap_drop list and avoiding the NET_RAW capability in the cap_add list.
| - "4000:4000" | ||
| mongo: | ||
| image: mongo:4.4 |
Automated PR Comment From coverity
Coverity Issue - Container requests ability to craft raw network packets
High CWE-269
The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.
How to fix
Explicitly remove the NET_RAW capability by adding either NET_RAW or ALL to the cap_drop list and avoiding the NET_RAW capability in the cap_add list.
| version: "2" | ||
| services: | ||
| goof: | ||
| build: ../../Downloads/gitlab-goof-automation-master |
Automated PR Comment From coverity
Coverity Issue - Container requests ability to craft raw network packets
High CWE-269
The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.
How to fix
Explicitly remove the NET_RAW capability by adding either NET_RAW or ALL to the cap_drop list and avoiding the NET_RAW capability in the cap_add list.
| depends_on: | ||
| - goof-mongo | ||
| goof-mongo: | ||
| container_name: goof-mongo |
Automated PR Comment From coverity
Coverity Issue - Container requests ability to craft raw network packets
High CWE-269
The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.
How to fix
Explicitly remove the NET_RAW capability by adding either NET_RAW or ALL to the cap_drop list and avoiding the NET_RAW capability in the cap_add list.
| ports: | ||
| - "27017:27017" | ||
| good-mysql: | ||
| container_name: goof-mysql |
Automated PR Comment From coverity
Coverity Issue - Container requests ability to craft raw network packets
High CWE-269
The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.
How to fix
Explicitly remove the NET_RAW capability by adding either NET_RAW or ALL to the cap_drop list and avoiding the NET_RAW capability in the cap_add list.
| platform: linux/x86_64 | ||
| image: mysql:5 | ||
| environment: | ||
| MYSQL_ROOT_PASSWORD: root |
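Review bot: `MYSQL_ROOT_PASSWORD: root` puts the database root password into version control; replace the literal with `MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}` supplied from an untracked `.env` file, or set `MYSQL_ROOT_PASSWORD_FILE` to a mounted secret, which the official mysql image reads in place of the plain variable. `image: mysql:5` also pins only the major version; use a full tag so rebuilds are reproducible.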
Automated PR Comment From coverity
Coverity Issue - Hard-coded secret
Low CWE-798
A secret, such as a password, cryptographic key, or token is stored in plaintext directly in the source code, in an application's properties, or configuration file. Users with access to the secret may then use the secret to access resources that they otherwise would not have access to. Secret type: Password (generic).
How to fix
Avoid setting sensitive configuration values as string literals. Instead, these values should be set using variables with the sensitive data loaded from an encrypted file or a secret store.
| services: | ||
| web: | ||
| build: . |
Automated PR Comment From coverity
Coverity Issue - Least privilege violation
Low CWE-284
The Docker container is not configured to drop all default capabilities and then add only the required ones. Thus the container may be granted excessive privileges, which violates the least privilege principle.
How to fix
Remove all the default capabilities from the list of capabilities by setting the cap_drop value to ALL and then add only specific capabilities needed by a container.
| - "4000:4000" | ||
| mongo: | ||
| image: mongo:4.4 |
Automated PR Comment From coverity
Coverity Issue - Least privilege violation
Low CWE-284
The Docker container is not configured to drop all default capabilities and then add only the required ones. Thus the container may be granted excessive privileges, which violates the least privilege principle.
How to fix
Remove all the default capabilities from the list of capabilities by setting the cap_drop value to ALL and then add only specific capabilities needed by a container.
| version: "2" | ||
| services: | ||
| goof: | ||
| build: ../../Downloads/gitlab-goof-automation-master |
Automated PR Comment From coverity
Coverity Issue - Least privilege violation
Low CWE-284
The Docker container is not configured to drop all default capabilities and then add only the required ones. Thus the container may be granted excessive privileges, which violates the least privilege principle.
How to fix
Remove all the default capabilities from the list of capabilities by setting the cap_drop value to ALL and then add only specific capabilities needed by a container.
| depends_on: | ||
| - goof-mongo | ||
| goof-mongo: | ||
| container_name: goof-mongo |
Automated PR Comment From coverity
Coverity Issue - Least privilege violation
Low CWE-284
The Docker container is not configured to drop all default capabilities and then add only the required ones. Thus the container may be granted excessive privileges, which violates the least privilege principle.
How to fix
Remove all the default capabilities from the list of capabilities by setting the cap_drop value to ALL and then add only specific capabilities needed by a container.
| ports: | ||
| - "27017:27017" | ||
| good-mysql: | ||
| container_name: goof-mysql |
Automated PR Comment From coverity
Coverity Issue - Least privilege violation
Low CWE-284
The Docker container is not configured to drop all default capabilities and then add only the required ones. Thus the container may be granted excessive privileges, which violates the least privilege principle.
How to fix
Remove all the default capabilities from the list of capabilities by setting the cap_drop value to ALL and then add only specific capabilities needed by a container.
| - goof-mongo | ||
| goof-mongo: | ||
| container_name: goof-mongo | ||
| image: mongo |
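Review bot: `image: mongo` with no tag resolves to `mongo:latest`, so `goof-mongo` will silently change major versions between pulls; the other compose file in this PR already uses `mongo:4.4`, so pin the same (or a newer specific) tag here.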
Automated PR Comment From coverity
Coverity Issue - Unspecified software version
Low CWE-829
The Docker Compose file does not explicitly set the image attribute to a specific stable version. Pinning the version of the base image will make the container being built more predictable. Relying on the latest version may silently inherit newer packages, which in the best case may affect application reliability and in the worst case may introduce vulnerabilities.
How to fix
Explicitly set the image attribute to a specific stable version.
No description provided.